
Welcome to the I Am The Cavalry track, Hungry Hungry Hackers. We were delighted to welcome and invite Sick Codes, and due to reasons, travel and otherwise, Mr. Codes was not able to join us today. However, we do have Mr. Casey J. Ellis to be present and help us walk through some of the issues related to challenges in security in our food ecosystem. Casey is a chairperson, founder and chief technology officer of Bugcrowd, as well as co-founder of the disclose.io project. Casey has been in the business for over 20 years, has done amazing things, and we look forward to learning more about what is going on here. This will take about 20 seconds to light up, but it will light up, I'm sure it will. All right, Casey, who is not Sick, tell us where we're going to go in our next 45 minutes.

Thank you. Thank you. So thanks everyone for coming. Has anyone seen the "we are all Sick Codes" meme, or sub-meme, on the Twitters? If you haven't, it's all good. So basically, you know, I think the idea is that when we learned that Sick was going to have some trouble getting into the country, Josh and I decided over a couple of beers at a cabana yesterday that, you know, all tall redheaded Australians are basically the same if they work in this industry. And it's actually not just that: when Sick did his first presentation at DEF CON last year and actually started presenting security research, it was the first time his face had actually been on the internet, and people thought he was me. So we ended up swapping out; it just turned into this whole fun little meme. And, you know, the interesting part, and why I thought, you know what, I could actually probably have a go at just running through this content and getting it out there, is because I was actually involved in a bunch of the stuff that he's going to talk through, in my capacity as, you know, Bugcrowd, disclose.io, all those sorts of things. So I am Sick Codes for the purpose of this presentation.

What gets really funny... so yeah, hopefully that explains any jankiness in how this all kind of plays out, but it's a cool story, and to me what it is... obviously the title is food-specific, right, but to me what this is, is really a story of how security research fundamentally changed the perception of safety criticality in an industry, which is something that's very near and dear to my heart. So we're good to go. Is everyone sufficiently confused at this point in time? I know I am. All right, let's rock and roll, and honestly, let's have some fun with this, because it's going to be a bit strange, but I'll get through it and you guys can ask questions. The other thing as well is that Paul Roberts gets a shout-out there. There's actually a panel following this, and that's going to be more of a conversation around kind of my personal opinions when it comes to this stuff, so this is partly representing, you know, Sick and his point of view on things. So all of those... and now I'll get into his disclaimers. Right, told you it'd be fun.

This is independent research. All security vulnerabilities reported to vendors. Nothing represents employer, partner, association, neither past nor present, other than description in the presentation, nor does it necessarily represent Casey. That's a good call-out. Slides are CC0, etc.

All right, so basically Sick is a pretty prolific and fairly recent security researcher in terms of, you know, when he popped onto the scene. I actually met him for the first time when he doxxed me through oDesk in 2020. That's a fun story that we can tell some other time. But since then he's actually had a pretty prolific vulnerability disclosure and security research career, and a lot of his work has actually, you know, become... I don't think that these things are complete in terms of their impact, but what it did was it precipitated and catalyzed a bunch of changes in thinking, and that's kind of what we're going to go into here. And this is where you can find me, slash him. There should be some sort of drinking game for whenever I get that confused, right? Is that... no, but really, yeah. As I said, this talk is about, you know, how security research can actually change, cause change, and his views on that, right. So the birth of his security research... the birth of my... all right, is it his or my, what do you reckon? Vote. Both? Both. All right, you guys are tracking, it's all good. I'm twisting myself in knots up here, but you guys are fine.

So the birth of the idea for getting into agricultural research was actually Paul, seeing, I think, a comment that Paul made: does John Deere have any CVEs? Not sure what precipitated that exactly, and I'm sure we can get into that later, but that was the origin of it. So Paul is very much focused on the right-to-repair angle of all of this stuff. I think what happened in Sick's mind at that point in time was the idea that, like, right to repair is actually inherently less friendly from a security standpoint, and if you combine that with a safety-critical or a national-security-critical industry, you've got a real problem at that point, potentially. So Sick goes off and does some security research, finds a vulnerability where basically, if you submitted an event from a free developer account, you could get back all of the customer details in the response, and I believe that this was enumerable, so you could basically go through and get all those details. So, you know, in the hands of a cybercriminal or a nation that wanted to understand the mechanics of another country's food supply, that's pretty handy, right?

I'm not quite sure what the slide was for: "why companies need to be ready to receive". Yeah, so really what he's talking about there is the fact that this is something that happens. You know, I think we're at a point now where vuln disclosure and bug bounty, it's being talked about a lot, a lot of people are adopting it, obviously, you know, that's near and dear to my heart. But this is really one of the reasons why that needs to be in place as a standard thing, because this happens. Humans, right, code; humans make mistakes; bad things happen. Hopefully you find someone who's actually friendly like Sick that can, you know, pick it up and disclose it and try to take it through, but as a vendor, you just kind of need to expect this stuff, right. So, yep, off you went and told the story, it got picked up, and it went from there. John Deere's response was basically not quite in line with Sick's kind of perception of the actual technical problem. And by the way, this research... he goes into some other stuff which I'll get to in a sec, but this research is in the closing keynote of DEF CON last year. I highly recommend it on the technical side if you're into that type of thing. But they basically said "we immediately investigated and fixed things, you know, nothing enabled access to customer accounts, etc." So, you know, who's a hacker in the room here? What's the first thing you do when a vendor says that? Like, nah, bet you missed something. And they did. So basically what happened: he did some additional research to be able to get, you know, details in a different way. I believe he continued to kind of pivot, and, you know, all those stories are out there online as well. So okay, cool. This is actually... yeah, the point of this is that some of the information that he was able to get out in his subsequent research was a lot more sensitive from a PII and a user standpoint, so basically John Deere responded to this by saying "no, we meant sensitive data". So that was kind of part of their fix, right. And again, these are his opinions, I'm just trying to render them as... anyway, this is fun. Yeah, this is not... I mean, speaking as myself, this is not an uncommon initial interaction. If you've got a vendor that goes from never having experienced this to experiencing it for the first time, they freak out and do stuff like this. It's not uncommon. It's all the road to doing it better ultimately, but
yeah, John Deere established a private bug bounty, with no bounty and no disclosure. Sick found this very confusing, and, you know, he reached out to me. We'd already been talking on some other stuff, but we talked about the general mechanics of, you know, bounty incentives, vuln disclosure, like what does it look like as an organization. Like what I was just saying before, it's like this is actually not ideal, but it's also not uncommon, so what's the path from not doing this at all to doing it well, and what are the bumps in that path? So we had a good chat about it, and basically, you know, I kind of laid out some of the different things that, from a pure security researcher standpoint, can seem quite unreasonable and seem quite counterproductive to the outcome that you think is the right thing, but when you think about it through the lens of the recipient and the journey they have to go through, like the, you know, five stages of vulnerability grief, like all these different things that happen, they're pretty common, and it's all about the next step, right. So that was the... this is where I get to introduce myself as me. Literally got these slides 24 hours ago too, by the way, so we're jamming on who says what. Yeah, whatever, y'all get it.

So this was one of the things I said, basically, like, the idea that full disclosure is not an ideal outcome, right. I actually did a speed debate in favor of full disclosure at an MBT con one time and won, because to me full disclosure is like, you know, people don't like it, but it's kind of like not liking death and taxes. Like, it's the default failure state if you're a security researcher who doesn't feel like they can get people to pay attention to what you're doing, right. So, you know, if there's messing around, then there's a higher likelihood that you're going to find out.

So what does Sick do? He goes off and does additional security research on John Deere, and this is the tractor hack stuff that popped out. This is, yeah, that's what I was referring to before, like as an IoT exploitation primer this is a fantastic video, he's super funny to watch as well, and, you know, it kind of gets the point across. But he kind of went through this whole process of trying to figure out how to jailbreak a head unit. Keep in mind that this is a product that's meant to be a SaaS offering, which is where the whole right-to-repair thing comes into it, but he was looking at it through the security lens, right. Found a whole bunch of stuff. Watch that talk, because I'll butcher it if I try to resell it. And that was the outcome. This is where everyone claps. And this was, like I said... seeing this presented, but like this was him going deeper to make a bigger point. Like what he was trying to do was to get the vendor to understand that, like, no, you guys don't seem to get the risk that's associated with what I'm finding, which is always a perilous thing, because security researchers don't necessarily have the context of the organization, but sometimes they're just not getting it and you have to do stuff like this. This is at DEF CON.

So really this is what he was trying to get across through the story arc: like, should more bugs be dropped? Should more things be disclosed? Is that the right thing to do, is it the wrong thing to do? I obviously have a lot of opinions on this one, but from his perspective, you know, does it devalue the bug and make it less likely to be used by cybercriminals trying to do their thing stealthily, for example, because all of a sudden it's public knowledge and you've got IOCs, you can defend, different things like that; you're actually devaluing the utility of the bug at that point. On the flip side, is it newsworthy? Is it actually going to highlight the fact that, like, bad cyber things happen to a particular domain, like it did in this case, right. The other thing I would say about Sick is that his sense of telling a story and actually getting people to understand, like, really complicated technical stuff is phenomenal, and he actually used that to kind of get the message out. You know, is there an NDA, is there a VDP, what the [__] are we doing here? Like, all those things come into it, but ultimately, like, this as a question that is good to ask yourself, I think, is very, very valid, and a lot of what he was trying to think through at the time.

So I'm not entirely sure what he was trying... no, I think the point of this slide really was the idea that the financial... because bugs are worth something, right. If you've got a vulnerability, you can do bad things with it, you can sell it to a third party, you can sell it through a bug bounty program, you can use it for clout and drop it on the internet. They all have, in terms of, you know, thinking about putting food on the table, a different kind of return, and that's just the nature of a bug. I think what he's saying here is that's not a linear thing; it's going to be an exercise for the reader and really depend on what's actually happening at the time. And of course this one, which I think is a little bit more clear: the idea that if you're thinking about it as a security researcher that's focusing on public safety impact, which is, you know, the whole theme of the Cavalry track, the bigger the bug gets, the more, you know, whatever you want to say... that's not "balls" in this case, because he can pull that off and I can't; it takes more nerve to get that stuff out there, because the consequences increase with the amount of impact that you're having, right. So there is that dynamic to it as well.

So coming back to, you know, where I started with this, like the way that I'm... my bias and how I'm telling this story is really to encourage people to think about security research as being able to have this type of impact, right. These are some of the things that you need to factor in, as examples. Going back to Paul's original question: are there any CVEs on underwater sea vessels? This is... I debated removing the slide because it's like... but he's not wrong. If there was transparency, and if there was the proper ability to call out some of the safety issues that existed in that system, would the things that happened have happened in the same way? Maybe not. Any CVEs on HIMARS rockets? You think about the ability for, you know, the kind of malicious actors or adversarial actors that are looking for the same information... that's a good one to answer. So he's kind of trying to paint that picture there. Like ultimately, like, is dropping 0day and roasting companies helpful, right, ever? Again, back to my opinion, I think it's not ideal, and it happens as an option of last resort. Is it helpful? It was here. Does it mean it's always helpful? No, I don't think it's a thing that you need to do necessarily all the time, but thinking about it through this lens, it's not just a default bad thing, right.

Oh, good, closer, closer to the mic. It's the Australian accent and the fact that I've just come off a flight from Thailand. Right, he lives in Thailand, I... So this is actually an issue. This was actually the first time he and I worked on a submission or a disclosure together, and it got pretty interesting pretty quickly. Basically he was doing research on TCL televisions. They have an Android subsystem. He went fishing through that and found a bunch of stuff. It's like, that's weird, that's obviously vulnerable, but it actually looks like it was put there on purpose. What should I do with this, Casey? Reached out to me, and, yeah, I immediately got a little bit nervous about the whole thing, because it's like, okay, this is actually going to have some impact, and sure enough it did. Basically it was determined... we got it into the right hands, and it was determined it was a deliberately inserted backdoor in TCL. And the thing about this television is it's everywhere. If you look for that brand, it's right across, you know, all sorts of sensitive places, in healthcare, inside government, airports, like it's all over the shop, right. This is 2020, before some of the changes happened that made that less of a thing, but, you know, this actually, I think, potentially helped precipitate some of those changes. Yeah, and, you know, ultimately what we did, aside from, you know, trying to work out any kind of safety concerns that he might have with this kind of information, was to get it into the hands of the right people, make sure that it was taken care of properly on that end, and it ended up escalating from DoD originally into DHS
and there was a, you know, very concerted response to that. Thank you. Feel like I'm leaning right in on this thing, but it's all good. We good so far? Yeah. All right, we are all Sick Codes. Awesome.

So, yeah, what happens when you push a bug's news beyond its limits? Because, like, literally when this stuff dropped, basically we got the information, put it all together, it went off into the high side and disappeared for a period, and then this stuff started coming out of DHS and we realized it was the same thing. And what, you know, Sick wanted to do, and this was independent, as a decision of his, but he basically wanted to push this news further. Same idea: it's like, how do we tell this story and make sure that the impact of this is known? Because this has consequences, and it's probably not the only code of its nature that's out there in the wild, right. This is when we had the safety conversation. There was a pretty dramatic stock hit as a result of this, and, yeah, basically DHS were incredibly responsive to this particular piece of intelligence, and actually used it as a way to tell the story of, you know, the potential risk of foreign consumer equipment, and just the fact that it's possible. So it's not necessarily targeting, you know, China or a particular country; it's like, this is just a thing that we need to be aware of. In this case, you know, obviously they're calling China out, but that was a big part of the broader narrative as well.

So, yeah, pretty much, you know, he found a bug in CCP-owned stuff, Homeland Security takes it and runs with TCL as a suspected backdoor. What he's calling out here is like, what if that same type of security research had gone into some of the things that were ultimately exploited to create this outcome, right? Interesting thought. Same thing with JBS. So we're talking about food; this is the, you know, the food, Hungry Hungry Hackers kind of theme, but, you know, personally I see this as a safety-critical research issue, and these kind of impacts, these kind of consequences, these kind of questions apply to how you focus your research if you're wanting to have this kind of mark, right. Grain co-op, you know, there's a lot of stuff in here, and we're actually going to go into this more on the next panel, so I'll skip for a bit.

Yeah, so ultimately the result of some of the research that he did on John Deere, and the conversations that happened off the back of that, actually created and spawned really a task force around agricultural connectivity. I think it actually got classed as a critical infrastructure domain at the same time. So, you know, this precipitated that. Were there people already thinking about that type of thing? Probably. Was this a massive catalyst to it actually happening? Yes, 100%. And, you know, what was observed at that point in time is that those task forces had a lot of attention, you know, the combination of the narrative that was around some of the stuff that he'd done and the fact that there is growing interest in this particular area; it drew attention to the right things. Now he's going back to the Colonial stuff. Like I said, 24 hours ago.

But yeah, so you see the impact. Okay, so what he's talking about here is how an incident actually creates the same effect. Like, if you're talking about security research, that's a friendly person, you know, ultimately in terms of their intent; maybe as a recipient you're not comfortable talking to them yet, but they don't have the goal of tanking a pipeline or doing anything like that. The other version of that is when this happens. So Colonial Pipeline does its thing, all of a sudden, you know, everyone pulled into that; cost them $5 million from a... I hate it when people call extortion payments bounties, but "bounty paid". And, you know, ultimately that precipitated a lot of activity around critical infrastructure itself and ransomware as well. JBS Foods, similar sort of thing, $11 million paid out there. Yep. Trade secrets stolen, AGCO. All
right yes so this is tying into the fact that you know this is like we this is the whole I am the Cavalry tie in um and it's honestly a big part of the bug crowd story as well and what we do with discloser like there's not enough Talent that's directly accessible for organizations to proactively get ahead of these problems like we are going to be a catch all um in a lot of ways and that's ultimately an opportunity that we've got and to some extent I actually think it's a responsibility that we have as well this is an example of it actually working and causing change um so John Deere's response to this eventually was to spin up and get very
proactive on on on the security side um they did a bunch of stuff you know was it the right things wrong things won't go into that I know he has opinions on that one but they responded um and they spun up you know their own uh teams um they created challenges so so they actually moved like they went full 360 from trying to like just push the thing into the dark to actually encouraging events encouraging people to come in and do this type of work um they spun up a program on a platform that I've never heard of hey no offense it's I mean this is awesome like I don't care honestly who I do care from the entrepreneur haton um
who people work with but it's more important that the they just do it it's actually one of the reasons why discloser exists it's like you know what you don't need to be a bug Crow customer to do this you just need to do it so that's actually a good thing and shout out to
hackerone uh all right so this is really kind of the the sum of this very interesting talk um I did consider as a drum kit back there I I figured flipping the switch and saying this is going to be like a lead Zeppelin concert I'm just going to solo but hopefully this has been use useful in terms of some of the stuff that we've gone through you know asking yourself as researchers in the room and even you know folks that are adjacent folks that are in policy it's not just Hardware or web vulnerability research that's actually factoring into the stuff now like data is becoming more of a thing um you know as as everyone starts to turn
their attention towards Ai and ml that's becoming a thing um there's all of these different technical domains where regardless of what you do on that side you've actually got the ability to focus your efforts towards these kind of outcomes and you know do it the way he did it do it your own way doesn't really matter think about the kind of outp uh output that you can have um in terms of you know making things safer not just more secure um so that's the question you know how do I use research to make positive and meaningful change in the world we are all sit codes thank
you we should not let six replacement off so easily as this that was easy what so now is your opportunity to stump the champion if you have a a specific question regarding this matter uh respon uh coordinated vulnerability Etc this is your opportunity to talk to a rockar so if raise your hand I will run this mic over to you and then you can ask your thoughtful question or I'll play the drums of me an actual Rockstar either way all right you have to be on the drum s for this whole there go um okay so I'm curious your opinion on this obviously the juicier the target the bigger of an entity they are let's say you're a
security researcher and you find a problem yep you kind of have to take a deep breath and ask yourself okay am I going to open this can of worms by disclosing it and there's the whole pros and cons between private disclosure versus public disclosure obviously uh but I feel like by nature of public disclosure they're going to receive that information in the tone that they want to receive that in be it conf confrontational and I think more likely confrontational than friendly so if by default it's seen as an escalating action more often than not what would your thoughts be on the right way to communicate that stuff just so that you have the best chance possible at it
being received in a way that doesn't involve you know Federal authorities knocking on your door which is a real concern at least in the United States y even to this day even with advancements made in the public disclosure Place yeah for sure I do think on that last part it's less of a concern now with you know the doj charging rule changes um with cfaa and and and frankly a lot of the work that a lot of people in this room have done to make hacking safer for people that are operating in good faith but yeah it's still a risk right um and you know probably the better example there is the the version of um of that
that happened you know sik wasn't in the US when he found that t bu so there was like an actual door getting kicked down um risk factor associated with that disclosure so you know can't really fix that one going back to your question I think private is always the best initial approach um yeah for sure um I think as a as a kind of a a meta um kind of thought to that um just applying empathy like literally just put yourself in the shoes of the person receiving this issue like it's scary you have someone coming from the outside world and tell you that your baby's ugly right if that's happening to you for the first time like
how are you going to react it's going to be immediately defensive and that's that's human nature I actually don't think that that's necessarily a bad thing it's to me more a a conversation about anticipating that type of reaction and trying to figure out to your question how to get it done anyway right um so I think beyond that really it comes down to whether or not you feel like they're operating in good faith you know some of the stuff some of the stuff that um sik went through in this talk around you know the initial interactions that he had to him indicated the fact that this might get brushed under the carpet so at that at that point he chose
to escalate um do more research you know the hacker challenge piece came into it as well but in terms of how he's telling that story it's going to be your mileage may very I think for the better part which is a terrible answer but like every bug's a snowflake you know every researcher is unique every disclosure is unique every company is unique as well um so yeah that would be my my probably main two answers to that like just put yourself in their shoes before you do anything if you're pissed off stop and wait until you're not pissed off cuz this can get irritating sometimes if you're trying to get the thing across and it feels like you're shouting down a
well um I've done like I've seen that and and Bug crowd has exposed me to thousands of people that have experienced that that's a very predictable thing as well so just think about you know all of that um and try to get it done try to get it fix because the the other downside with full disclosure is that you're exposing that information to people that might not be as well intended as you are um and there's a there's an equities conversation that comes up at that point right you know is this going to create more public impact if everyone knows about it um then it would if it was kept private that's a horrible this is the
whole reason why things like V inside the government are so complicated and and convoluted because that's a hard question to answer right but that's another thing to factor in welcome yeah thank you um firstly thank you for the talk I really appreciated it um I was just wondering I was really interested in how John Deere's response has now obviously changed they've got the challenge up and are they doing any kind of Public Announcement of the lessons they've learned in terms of their response to the initial approach from um sode only cuz I'm wondering if we're kind of preaching to the converted here right like how do we get how do we communicate with companies who take the
same approach that they took initially and sort of say like oh please don't talk to us and if you feel like you're under attack like are they going out to say this is a better way to do it and we should have done this sooner and if not how do we get them to do that yeah for sure like to me the the fact that they've gone out and proactively offered a vol a v disclosure program like that's that is to me an admission of the fact that yeah this happens like we know we're not perfect um and we know that sometimes things are going to get found outside we need to have a way to receive
that and here's the behavior that you can expect from us if you do that um you know one of the things that we did with disclos was to make sure that the language in briefs like that actually created a sense of Safe Harbor for the security researchers so that the uh the recipient couldn't suddenly change their mind or Cloud up and rain and all those different things but that to me an example of them actually acknowledging this and becoming proactive um I believe they've done uh like joint talks and and different things like like sick and John Deere made friends eventually um and I think there's been some stuff that they've actually done together to tell
this story you know particularly in places like Iowa um and you know areas where this is top of mind right um yeah maybe look into that because I'm I'm like 90% confident on that answer but yeah to me going back from that just the VDP in and of itself is a proactive measure uhoh uh thank you for for take for doing the presentation you did a great job thank um I know with with John Deere one of the reasons that that siik did not join their vulnerability disclosure program and he was the first person invited into it for obvious reasons um was that he felt like it was really just a way for them to get him to sign an NDA
that would then basically muzzle him and he didn't want to do that so he kind of joined it and then immediately left it y um I guess I'd ask you and I should point out I you're right I was the first person who said hey deer doesn't have any cves it wasn't actually my idea I got it from I think simple Nomad I don't know I can't remember yeah it was simple um but um so wasn't my idea but uh I think I'll note John Deere still does not have any publicly disclosed cves on the nist um vulnerability database nvd and um don't know of any plans for them to have them so I guess the question is
um as the operator of one of the largest you know bug Bounty platforms um how do we sort of thinking crawl walk run right how do we get vendors to a not just look at vulnerability disclosure programs as a way to muzzle researchers by getting them into ndas y b um kind of realize that you know programed platforms uh like bug crowd um great way to run both private uh Bounty programs and access that talent pool but also that they should probably have this larger you know kind of wisdom of the crowd approach right where you know the the downside is you are going to have some public cves the good side is you're going to have a lot more people looking
at your stuff? So how do you kind of get them to engage in that?

I'm trying to enumerate that question back. First things first: if it's private, it's not a VDP, right? Full stop. I think that's a definitional thing; that was a big part of the initial conversations that Sick and I were having around this. Companies that do that, and companies that let other companies do that, are ultimately doing a disservice to disclosure as a baseline operating principle of the internet. And that's the second problem: through the last 10 years of actually intermediating this and telling the crowdsourcing story as Bugcrowd, we're definitely not the only player in the category at this point in time, but we were the first to actually go out and do that. It was really trying to solve both problems. The problem of being able to receive input from the outside world regardless of how it came in, because [ __ ] happens; sometimes you need a lightning rod, do you know what I mean? Like, lightning is going to hit the roof, and it's the lightning rod that's drawing that, not you. So that to me is the reactive thing that just needs to be ubiquitous. The crowdsourcing piece, to your point, is about actually being able to engage a broad talent pool, and the problem that we have is that people confuse those concepts, because you get the same things from both in a lot of ways. So I think telling that story is a marketing and education issue; it's a policy issue. We've had hard conversations inside Bugcrowd where we've had to basically deny ourselves revenue because we wouldn't do things that customers wanted us to do, for this reason. And I think things like that are ultimately what need to happen in order to establish norms and best practice and all those different things. Theo played a big role in that as well. Yep, satisfactory answer? Yes. Cool.

I kind of have a two-part question. Sure. So
for organizations, in your experience, getting into an integrated vulnerability management approach, where they're trying to build out a bug exploration or a zero-day kind of program: first of all, what do you consider the building blocks, in terms of maturity, that an organization needs to have? And the second part of that question, in terms of return on investment: how deep is too deep, in terms of going down the rabbit hole, in terms of the budget and time an organization should put into this, if they're getting into this maturity at an early stage?

Right. So my personal and very strong point of view on this is that every organization should have a vulnerability disclosure program, full stop, for the reason that I just said before: lightning will eventually hit your house, so put a rod up. That's something that one should do, and that's part of the driver behind all of the, frankly, non-Bugcrowd work I've done to affect policy in that direction, because people need to know that. The good thing about it is that transparency actually breeds maturity, or a perception of maturity, which is trusted in the market. So we're at a point now where companies are actually starting to want to do it because the consumer gets it; it's like neighborhood watch for the internet, I understand that, right? So it's positive things that actually drive that whole movement. Probably the counterintuitive opinion that I have is, if you talk about a bug bounty program as a vulnerability disclosure program with rewards, so like the 800-53 R5 definition, I don't think most companies should do that. If you're talking about going out to the open internet and saying "hey, we'll pay you if you can hack us and tell us what you found," the problem that creates is that there isn't enough maturity, to your point, the inability to actually deal with that. Those bugs are still there, those risks are still there, there's still a problem, but if you add another problem on top of that, then the original one's probably less likely to get solved at that point in time. So I think a robust downstream remediation process, vulnerability management in the true sense inside the organization, looking at things like ISO, what is it, 30111, I think; there are the two ISO standards, 29147 which is intake, outside-in, and 30111 which is what you do once you get the bug. You do need to have both. Where I disagree with some opinions that are out there on this is that on the VDP side, you don't need... like, you're out of time, right? If
someone's found a thing, you need to have a way to receive that. So that's my point of view on that; hopefully I've answered the second part.

Maybe, in terms of time and material, what would you consider not going too deep into it, in terms of disclosure, or in terms of research, in terms of zero-days, as a hacker or as a recipient organization?

Sorry, I'm actually trying to parse the question a little bit.

So in terms of return on security investment, how deep is too deep, in terms of the time and budget an organization should invest in this?

Yeah, how deep is too deep in terms of return on investment. With the investment an organization makes in this type of thing, you've got to be able to determine return on investment to answer that question in the first place, and I think a lot of orgs struggle with that. If the entire focus of a security team is just on finding bugs, then you're probably doing it wrong. There's going to be a balancing act between defensive measures, like what are you doing about helping your engineers be better at not introducing this stuff in the future; there are all of these different things that go into that. So yeah, again, it's a bit of a how-long-is-a-piece-of-string answer, but those are the things to consider, and I think for every organization it's going to be different, because they've all got different gaps and different needs. Cloud-native companies are going to find this easier because they can fix faster; a 40-year-old waterfall company is going to have a hard time with this stuff, so the investment is going to be different.

Hey, good afternoon, thanks for a really interesting talk. I had a quick question for you. Over the last five years or so I've seen DHS's CISA grow from being a really immature organization that could barely spell "vulnerability" to a credible one that probably has relationships with much of the Fortune 500. So in cases where a
security researcher faces an adversarial relationship with a company, they've found a vulnerability and don't have a good way to bring it to them, what are your thoughts on, and I know this is sacrilege for many hackers here, using government to be that broker to approach the firm initially?

You can definitely do that. The challenge with that is that they're pretty busy, and you've got to have, I think, those processes... and shout out and all power to the people, whom I know quite well, who run them; they'll probably thank me for saying this. You've got to have something that's impactful in a way that will actually get prioritized ahead of all of the other stuff they're getting. So if you're sending them 50 XSS vulns in some nothing site, you've just basically created load that they're not going to be able to help you with. So again, it's an equities thing. I do think there are other ways to do that. The community adopted disclose.io as a way to basically get help from people. There was a period in time, and shout out to everyone in the room who's in this bucket, where if you weren't able to get information into the right hands, you'd tweet about it, and then someone would eventually tap me on the shoulder, and then I'd find someone I knew and it would get done that way. That's basically what I just talked about; it's basically a way of doing that which helps with that and kind of scales that idea out. There's a lot of different things happening there, but yeah, I think centralization of intake is risky. I mean, you think about what we do: we've got thousands of customers, we literally do that, and it's hard. It's one of the reasons that people pay for what we do; it's because it's really difficult. So to apply that kind of solution across the entire net, maybe not so much. I think it needs
to be distributed more than that.

Josh. Hey, Josh. Hi, this is sort of for both of your personalities. Given this is the Hungry Hungry Hackers thing, we care about food targets. Sick's been one of the few who has looked at and found vulnerabilities in the food supply, not just heavy equipment but ice cream machines, solar, you know. In the healthcare space, Beau had a great idea of "We Heart Hackers," so we initially started just listing all the medical device makers that had a disclosure program, as like a wall of fame. Then we had a We Heart Hackers challenge from the regulator to say "will you bring your stuff to DEF CON, to the Biohacking Village?" Now it's in the PATCH Act; it's like, to bring a new medical device to market you have to have a coordinated vulnerability disclosure program. Yep. Has there been any discussion between you and Sick, or Paul, and maybe this can bleed into the next panel, like, can we replicate that recipe to accelerate the number of participants from the vendor community, but also the number of participants from this community, so we target the right equipment that has the highest impact, and maybe short-circuit what was a nine-year journey, until maybe, like, a body establishing baselines from a hygiene standpoint, all that kind of stuff as well? There are some private events, and CornCon has some of these things, but is there a discussion about getting to critical mass?

Yeah, so he and I have definitely talked about that. He's a hardware guy, and these kinds of domains tend to have a lot of hardware in them, so it's a topic of conversation that we have a lot. I think one of the areas that validates what you're talking about: we got pulled into election security in a pretty heavy way in 2018, and that's a five-year cycle ultimately, in terms of some of the stuff that's popping out; it followed the exact same story arc. And I think, lather, rinse, repeat: the more scalable,
the more repeatable this journey of, like, "what the hell are you talking about, are you trying to tank my company?" through to doing the right thing and the best thing, and the more that can be made appealing to organizations, I think the better. And at the same time, actually regulating it and having a stick is pretty important too.

Okay, we've got one last question before we're going to wrap up Sick's presentation, because we have to assemble, I'll go put a suit and tie on, a wonderful panel presentation you're not going to want to miss. So here is our last question.

Sorry to come back around, but I was just Googling something and I thought this was pretty interesting: John Deere, having no CVEs, is 84th on the Fortune 500 list. So thinking more about what you just said about how we make something repeatable, how many other Fortune 500 companies have zero CVEs? Yep. And I think that's an interesting thought for everyone here to kind of go home with and see what you can make happen from that.

Yeah, I mean, to me it goes back to some of the stuff we were talking about over here before, around how transparency is ultimately anti-fragile. Put the computer science hat on and think about it at a systems-thinking level; that's just true. So the closer you can get to that, the more resilient you're going to be, but it converts to consumer trust as well; at this point in time it's starting to. And I think for us, helping the marketers in the room, or the folks that straddle this kind of work and communication or policy, helping people tell that story and actually getting more interest in seeing organizations do this well, I think that creates a virtuous loop that we're at the beginnings of, but I think that could be a lot more effective as the way we get this solved.

Okay, please join me in thanking Casey and Sick for a fabulous joint presentation. Thank you.